Detect and Isolate Faults in Aircraft Elevator Control System

Since R2024b

This example shows how to design a fault detection, isolation, and recovery (FDIR) application for a pair of aircraft elevators by using Stateflow charts.

A typical aircraft has two elevators, one on each side of the fuselage, attached to the horizontal tail. To enhance the safety of the aircraft, the elevator control system contains these redundant parts:

  • Four independent hydraulic actuators. Each elevator has an inner and outer actuator.

  • Three hydraulic circuits that drive the actuators. Each outer actuator has a dedicated hydraulic circuit. The inner actuators share a hydraulic circuit.

  • Two primary flight control units (PFCUs). One PFCU controls the inner actuators and the other controls the outer actuators. The aircraft activates or deactivates PFCUs in response to faults.

If the aircraft is flying perfectly level, then the actuator position should maintain a constant value. The fault detection system registers a failure in an actuator if:

  • The position of the actuator increases or decreases by 10 cm from this zero point.

  • The actuator position changes at least 20 cm in 0.01 seconds.

The fault detection system also registers a fault in one of the hydraulic circuits if the pressure is out of bounds or if the pressure changes rapidly. In this example, the fault detection system checks that:

  • The pressure in the hydraulic circuit is between 500 kPa and 2 MPa.

  • The pressure changes no more than 100 kPa in 0.01 seconds.
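The two threshold checks above, as an added Python example that is not part of the sf_aircraft model: each sample is flagged when the position or pressure is outside the stated band, or changes too much between consecutive samples. The 0.01 s sample spacing, the inclusive comparisons at the limits, and the two traces are assumptions.

```python
# Added example (not from the sf_aircraft model): sample-by-sample checks
# using the limits stated on the page. Samples are assumed 0.01 s apart, so a
# one-step delta is the page's "in 0.01 seconds" window.
POS_LIMIT_CM = 10.0             # actuator moves 10 cm from the zero point
POS_RATE_CM = 20.0              # actuator moves at least 20 cm in one step
P_MIN_KPA, P_MAX_KPA = 500.0, 2000.0   # circuit pressure band: 500 kPa .. 2 MPa
P_RATE_KPA = 100.0              # pressure may change no more than 100 kPa per step

def actuator_faults(positions_cm, zero_cm=0.0):
    """True for every sample where the actuator position check fails."""
    flags, prev = [], None
    for x in positions_cm:
        out_of_band = abs(x - zero_cm) >= POS_LIMIT_CM      # '>=' is assumed
        too_fast = prev is not None and abs(x - prev) >= POS_RATE_CM
        flags.append(out_of_band or too_fast)
        prev = x
    return flags

def hydraulic_faults(pressures_kpa):
    """True for every sample where the hydraulic pressure check fails."""
    flags, prev = [], None
    for p in pressures_kpa:
        out_of_band = not (P_MIN_KPA <= p <= P_MAX_KPA)
        too_fast = prev is not None and abs(p - prev) > P_RATE_KPA
        flags.append(out_of_band or too_fast)
        prev = p
    return flags

def first_fault_index(flags):
    """Sample index of the first detected fault, or None if the trace is clean."""
    return next((i for i, f in enumerate(flags) if f), None)

# Constructed traces: level flight, then an injected position jump and a
# pressure drop of the kind the H1 slider on the model's top level produces.
POSITION_TRACE = [0.0, 0.4, -0.3, 0.2, 25.0, 24.5]
PRESSURE_TRACE = [1500.0, 1490.0, 1505.0, 1210.0, 1150.0, 480.0]

if __name__ == "__main__":
    pos = actuator_faults(POSITION_TRACE)
    hyd = hydraulic_faults(PRESSURE_TRACE)
    print("actuator fault at sample", first_fault_index(pos))    # 4
    print("hydraulic fault at sample", first_fault_index(hyd))   # 3
```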

Model Fault Detection, Isolation, and Recovery System

The sf_aircraft model uses several charts and subsystems to detect, isolate, and recover from faults.

Detect Faults

At the top level of the model, the Signal Conditioning and Failures subsystem provides the first layer of fault detection. The subsystem evaluates the rate of change for:

  1. The position of each actuator

  2. The pressure of each hydraulic circuit

If the subsystem detects an excessive rate of change in any of these components, it alerts the sf_aircraft_controller model reference.

In the model reference, the Mode Logic subsystem provides the second layer of fault detection. This subsystem contains a Stateflow chart that converts signals from Signal Conditioning and Failures into instructions for the isolation and recovery systems in the Actuator Controller subsystem.

The Mode Logic chart models the instructions as boolean signals. When a signal is true, the isolation and recovery systems execute the instruction.

On each step, the Mode Logic chart resets the instructions and computes new values by using the truth tables LeftSwitch and RightSwitch.

The truth tables instruct an actuator to turn off if one of these statements is true:

  • Only the connected hydraulic circuit fails.

  • Both the actuator and the connected hydraulic circuit fail.

The truth tables instruct an actuator to isolate if one of these statements is true:

  • The actuator fails but the connected hydraulic circuit does not.

  • Both actuators on the same side fail.

  • Both hydraulics on the same side fail.

For example, in the LeftSwitch truth table, the D1 column triggers when the first hydraulic circuit fails. Then, the second row in the Action Table executes by setting LOGoOff to true, instructing the isolation and recovery system to turn off the left outer actuator.
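The turn-off and isolate rules above, written as a decision function for one elevator side. This is an added Python example, not the LeftSwitch or RightSwitch truth table itself: the output name LOGoOff comes from the page, while the inner-actuator names (LIGoOff, LIGoIso), the right-side prefix R, and the circuit assignments in the comments are assumptions.

```python
# Added example (not the LeftSwitch/RightSwitch tables themselves): the page's
# turn-off and isolate rules for one elevator side as a decision function.
# Output names follow the page's LOGoOff; the inner-actuator names
# (LIGoOff, LIGoIso) and the right-side prefix 'R' are assumptions.
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class SideStatus:
    outer_fail: bool        # position fault on the outer actuator
    inner_fail: bool        # position fault on the inner actuator
    outer_hyd_fail: bool    # outer actuator's dedicated circuit (H1 on the left)
    inner_hyd_fail: bool    # circuit shared by both inner actuators

def switch_table(s, side="L"):
    """Return the GoOff/GoIso instructions for the outer (O) and inner (I)
    actuators on one side, as booleans keyed like LOGoOff."""
    both_actuators = s.outer_fail and s.inner_fail
    both_hydraulics = s.outer_hyd_fail and s.inner_hyd_fail
    out = {}
    for tag, act_fail, hyd_fail in (("O", s.outer_fail, s.outer_hyd_fail),
                                    ("I", s.inner_fail, s.inner_hyd_fail)):
        # turn off: only the circuit fails, or circuit and actuator both fail
        out[f"{side}{tag}GoOff"] = hyd_fail
        # isolate: the actuator alone fails, or both actuators / both
        # circuits on this side fail
        out[f"{side}{tag}GoIso"] = ((act_fail and not hyd_fail)
                                    or both_actuators or both_hydraulics)
    return out

def full_table(side="L"):
    """All 16 input rows, in the spirit of a truth table's condition/action
    layout: {(outer, inner, outer_hyd, inner_hyd): actions}."""
    return {row: switch_table(SideStatus(*row), side)
            for row in product((False, True), repeat=4)}

if __name__ == "__main__":
    # The page's worked case: the first hydraulic circuit (D1 column) fails.
    print(switch_table(SideStatus(False, False, True, False)))
```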

Isolate Faults

In the sf_aircraft_controller model reference, the Actuator Controller subsystem models fault isolation and recovery by using four subsystems, one for each actuator.

Each subsystem contains a chart linked from the library sf_aircraft_lib. The charts have identical states and transitions, but receive different signals. For example, the chart LeftOuterActuator defines the fault detection logic for the left outer actuator.

The actuator charts have four possible operating modes, represented as substates of the states On and Off:

  • Standby — The actuator is operational, but not active.

  • Active — The actuator is operational and active.

  • Recoverable — The actuator is temporarily non-operational. When the failure resolves, the actuator returns to Standby.

  • Isolated — The actuator is non-operational for the rest of the simulation.

In each chart, these inputs determine state activity:

  • GoOffFlag instructs the actuator to transition to the Off state.

  • StayOff reflects the pressure status of the connected hydraulic circuit and instructs the actuator to stay in the Off state until that pressure is stable and within bounds.

  • GoIsoFlag instructs the actuator to transition to the Isolated state.

By default, when the fault detection system turns off an actuator, the actuator transitions to the Recoverable state and the local data object Fails increments by 1. Once Fails equals five, the actuator transitions to Isolated instead.

Because Isolated has no exit transitions, an actuator in the Isolated state will not change operating modes unless you reset the fault system. In contrast, an actuator in the Recoverable state transitions to the On state when StayOff indicates that the hydraulic circuit failure is resolved.
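The Recoverable/Isolated behaviour described above, as an added Python model of one actuator chart. This is not the sf_aircraft_lib chart itself: the state names and the Fails counter come from the page, while the evaluation order within a step, treating the fifth turn-off as the one that isolates, and the reset behaviour are assumptions.

```python
# Added example (not the sf_aircraft_lib chart): a Python model of one actuator
# chart's On/Off behaviour as the page describes it. State names are the
# page's; the evaluation order within a step, and treating the fifth turn-off
# as the one that isolates, are assumptions.
MAX_FAILS = 5

class ActuatorChart:
    def __init__(self, name, start_active=False):
        self.name = name
        self.reset(start_active)

    def reset(self, start_active=False):
        """The model's Reset button: override Isolated and clear Fails."""
        self.state = "On.Active" if start_active else "On.Standby"
        self.fails = 0                # local data Fails

    def step(self, go_off_flag, stay_off, go_iso_flag):
        """One chart step driven by GoOffFlag, StayOff and GoIsoFlag."""
        if self.state == "Off.Isolated":
            return self.state         # Isolated has no exit transitions
        if go_iso_flag:
            self.state = "Off.Isolated"
        elif self.state.startswith("On.") and go_off_flag:
            self.fails += 1
            # Recoverable by default; Isolated once Fails reaches five
            self.state = ("Off.Isolated" if self.fails >= MAX_FAILS
                          else "Off.Recoverable")
        elif self.state == "Off.Recoverable" and not stay_off:
            self.state = "On.Standby" # circuit pressure stable again
        return self.state

    def activate(self):
        """Standby -> Active; only meaningful while the actuator is On."""
        if self.state == "On.Standby":
            self.state = "On.Active"
        return self.state

def run(chart, inputs):
    """Apply a list of (GoOffFlag, StayOff, GoIsoFlag) tuples; return states."""
    return [chart.step(*i) for i in inputs]

if __name__ == "__main__":
    lo = ActuatorChart("LeftOuterActuator", start_active=True)
    # Constructed scenario: H1 pressure fault held for two steps, then resolved.
    print(run(lo, [(True, True, False), (False, True, False),
                   (False, False, False)]))
    # → ['Off.Recoverable', 'Off.Recoverable', 'On.Standby']
```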

Recover from Faults

If an actuator becomes non-operational, the fault detection system attempts to recover from the fault by changing the active PFCU. For example, when you run the simulation, the outer actuators start in Active mode and the inner actuators start in Standby mode. If the left outer actuator experiences a hydraulic failure, the other actuators adjust in response.

  1. The left outer actuator turns off.

  2. The left inner actuator activates.

  3. The right inner actuator activates.

  4. The right outer actuator moves to standby.

The actuator charts use two inputs to evaluate transitions between Standby and Active:

  • SharedSideSensor represents the operating mode of the other actuator on the same elevator.

  • PairedSensor represents the operating mode of the matching actuator on the opposite elevator.

Observe Fault Management by Injecting and Resetting Faults

You can observe how the fault management system operates by injecting or resetting faults during simulation.

Inject Faults

To introduce actuator and hydraulic circuit faults during simulation, use the sliders at the top level of the model. When you inject a position sensor failure, the model rapidly changes the specified actuator position. When you inject a hydraulic pressure failure, the model rapidly decreases the specified hydraulic circuit pressure.

For example, to inject a fault in Hydraulic Circuit 1:

  • Return to the top level of the model.

  • In the Inject Hydraulic Pressure Failures box, slide H1 to the right.

The model responds to the failure:

  1. The Signal Conditioning and Failures subsystem detects the failure and alerts the sf_aircraft_controller model reference.

  2. In the model reference, the Mode Logic subsystem instructs the left outer actuator to turn off.

  3. The inner actuators become active.

  4. The right outer actuator moves to standby.

Reset Faults

To bring Hydraulic Circuit 1 back online, slide H1 to the left. The model removes the failure:

  1. The left outer actuator moves to standby.

  2. The inner actuators remain active.

  3. The model can now reactivate the outer actuators if the inner actuators fail.

To reset the model to a default state and override any Isolated states, click the Reset button.
